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DETAILED ACTION 



1. This Office action is responsive to the following communication: Amendment filed on 2 May 
2007. 

2. Claims 1-4, 6-13, 15-20, 39-42, 44-51, and 53-58 are pending and present for examination. 

Response to Amendment 

3. Claim 1 has been added. 

4. No claims have been cancelled. 

5. No claims have been added. 

Claim Objections 

6. Applicant's Amendment to claim 1 is acknowledged. Accordingly, the objection has been 
withdrawn. 

Claim Rejections - 35 USC § 101 

7. 35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or 
any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and 
requirements of this title. 

8. Claims 1-4, 6-9, 10-13, and 15-17 are rejected under 35 U.S.C. 101 because the claimed 
invention is directed to non-statutory subject matter. 

Accordingly, both the apparatus and method claims may be considered to be software, per se, 
since both claims fail to be integrated into a computer hardware system for execution. Therefore, since 
the claims simply recite but simply recite sections and steps of implementation, said claims constitute 
non-statutory subject matter since they fail to fall within a statutory category. 
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Additionally, Claims 6-7 and 15-16 the limitations wherein the user is granted the privilege of 
performing the resource operation "only if the permission bit allows the operation." The aforementioned 
claim language provides for optional language wherein if said permission bit disallows the operation, the 
resource operation is not performed. Hence, the method would therein produce no "useful, concrete, 
and tangible result" in that the electronic document is not expanded. See State Street, 149 F.3d at 1373, 
47 USPQ2d at 1601-02. MPEP 2106. "The claimed invention as a whole must accomplish a practical 
application. That is, it must produce a 'useful, concrete and tangible result' " (emphasis added). The 
Examiner further notes that a plurality of the remaining claims contain optional language by reciting "if" 
statements (e.g. claims 44, 45, and etc.). 



Claim Rejections - 35 USC § 103 

9. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness 
rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art 
are such that the subject matter as a whole would have been obvious at the time the invention was made to a 
person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be 
negatived by the manner in which the invention was made. 

10. Claim 1-4, 7-11, 13, 16-17, 18-20, 39-42, 45-49, 51 and 54-58 rejected under 35 U.S.C. 
103(a) as being unpatentable over Indicula et al (U.S. Patent No. 6,950,822, hereinafter referred to as 
INDICULA), filed on 25 November 2002, and issued on 27 September 2005, in view of Deinhart et al 
(U.S. Patent No. 5,911,143, hereinafter referred to as DEINHART), filed on 14 August 1995, and issued 
on 8 June 1999. 

11. As per claims 1, 10, 18, 39, 48 and 56, INDICULA, in combination with DEINHART, discloses: 

A method for controlling access to a resource, the method comprising the steps of: 

creating and storing in a filesystem of an Operating System a file that represents the 
resource {See IDICULA, C4:L42-56, wherein this reads over "session objects 122, one or more 
process state objects 130a, 130b, collectively referenced hereinafter as process state objects 130, 
and a session pool object 140. In object-oriented technologies, an object is a data structure that 
stores data that indicates one or more attributes or methods or both"}; 
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receiving user-identifying information from a user requesting access to the resource, 
wherein the user-identifying information comprises a role associated with the 
user {See IDICULA, C5:L11-13, wherein this reads over "user information that indicates a user of 
the associated connection, the user's roles, and the user's privileges, among other information about 
the user"}, wherein the role is determined from a user identifier uniquely 
associated with the user and from a group identifier associated with a group that 
includes the user {See DEINHART, Cl:L31-36, wherein this reads over "[i]n most of the installed 
computer systems access rights are granted or revoked explicitly for individual users or group of 
users on respective data or, more generally; on respective objects by a system administrator"}; 

receiving a resource identifier associated with the resource {See idicula, C7:Li9-35, 
wherein this reads over "[i]f a session is already created for this client, a session object 122 
associated with the client is indicated in the process state object 130"}; 

creating an access identifier based on the user-identifying information and the 
resource identifier, wherein the access identifier is formatted as a file attribute 
that is used by the Operating System to manage file access {See idicula, C4:L42-56, 
wherein this reads over "session objects 122, one or more process state objects 130a, 130b, 
collectively referenced hereinafter as process state objects 130, and a session pool object 140. In 
object-oriented technologies, an object is a data structure that stores data that indicates one or more 
attributes or methods or both"}; 

calling the Operating System to perform a file operation on the file by providing the 
access identifier to the Operation System to attempt access to the file {See 
IDICULA, Cl:L52-62, wherein this reads over "[a] session is a related series of one or more requests 
for services made over a communication channel. The channel is typically established by the 
operating system of the host for the database server"; and C7:L19-30, wherein this reads over w [i]f a 
session is already created for this client, a session object 122 associate with the client is indicated in 
the process state object 130; and that session object 122 is used"}; and 

granting the user access to the resource when the Operating System call successfully 
performs the file operation {See IDICULA, C7:L20-21, wherein this reads over "a request is 
received from database client 102a for database services"}; 

wherein the file operation on the file representing the resource is selected from a 
group consisting of opening the file, closing the file, deleting the file, reading 
from the file, writing to the file, executing the file, appending to the file, reading 
a file attribute, and writing a file attribute .{See idicula, C7:Li9-30, wherein this reads 

over *[i]f a session is already created for this client, a session object 122 associate with the client is 
indicated in the process state object 130; and that session object 122 is used"}. 

While INDICULA fails to expressly disclose the determination of a role "from a user 

identifier uniquely associated with the user and from a group identifier associated with a group that 

includes the user," DEINHART discloses the grant or revocation of access rights for "individual users or 

group of users ... on respective objects." Therefore, it would have been obvious to one of ordinary skill 

in the art at the time the invention was made to modify the above invention suggested by INDICULA by 

combining it with the invention disclosed by DEINHART. 
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One of ordinary skill in the art would have been motivated to do this modification so that where a 
user falls within a classified group of users (e.g. System Administrator or Guest), a user identifier may be 
associated with the user accordingly. 



12. As per dependent claims 2, 11, 19, 40, 49 and 57, it would be inherent for the role 
identifier and resource identifier to be stored in a first and second set of bits, respectively, since files are 
comprised of a sequence of bits. 

13. As per dependent claims 3, 20, 41 and 58, INDICULA, in combination with DEINHART, 
discloses: 

A method as recited in Claim 1, wherein: 

the step of creating an access identifier based on the user-identifying information 
and the resource identifier comprises formatting the access identifier as a group 
identifier file attribute {See DEINHART, Cl:L31-36, wherein this reads over "[i]n most of the 
installed computer systems access rights are granted or revoked explicitly for individual users or 
group of users on respective data or, more generally, on respective objects by a system 
administrator"}; and 

the step of calling the Operating System to perform an operation on the file 
representing the resource comprises: 

assigning the access identifier to a group identifier attribute of an Operating 
System process {See IDICULA, C4:L42-56, wherein this reads over "session objects 122, 
one or more process state objects 130a, 130b, collectively referenced hereinafter as process 
state objects 130, and a session pool object 140. In object-oriented technologies, an object is a 
data structure that stores data that indicates one or more attributes or methods or both"}; and 

calling an Operating System routine from the Operating System process to 
perform the operation on the file representing the resource {See idicula, 
Cl:L52-62, wherein this reads over "[a] session is a related series of one or more requests for 
services made over a communication channel. The channel is typically established by the 
operating system of the host for the database server"; and C7:L19-30, wherein this reads over 
"[i]f a session is already created for this client, a session object 122 associate with the client is 
indicated in the process state object 130; and that session object 122 is used"}. 

14. As per dependent claims 4, 13, 42 and 51, INDICULA, in combination with DEINHART, 
discloses: 

A method as recited in Claim 1, 

wherein the step of calling the Operating System to perform an operation on the file 
representing the resource comprises comparing the access identifier to an 
identifier included in an Access Control List file attribute associated with the file 
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representing the resource {See DEINHART, C1:L31-41, wherein this reads over "[w]hen an 
access request occurs during operation time of the computer system from a user or, more generally, 
from a subject to the object, then the security system looks at the access control list of the respective 
object and decides whether the subject may access the object in the request manner"}, 

wherein the Access Control List file attribute includes the identifiers of all users and 
all groups of users allowed to access the file representing the resource {See 
DEI N HART, Cl:L31-36, wherein this reads over "[i]n most of the installed computer systems access 
rights are granted or revoked explicitly for individual users or group of users on respective data or, 
more generally, on respective objects by a system administrator"}. 

15. As per dependent claims 7, 16, 45 and 54, the claim does not carry patentable weight since 
the claim recites the file operation of "opening the file representing the resource/' which was optionally 
recited in claims 1, 10, 18, 22, 31, 39, 48 and 56 (i.e. "wherein the file operation on the file representing 
the resource is selected from a group consisting of opening the file, closing the file, deleting the file, 
reading from the file, writing to the file, executing the file, appending to the file, reading a file attribute, 
and writing a file attribute")/ upon which the said respective claims depend. Therefore, since the opening 
of the file is optional and not necessary to the claimed invention, the claim is rejected. 

16. As per dependent claims 8, 17, 46 and 55, INDICULA, in combination with DEINHART, 
discloses: 

A method as recited in Claim 1, wherein the step of representing the resource by a file 
stored in the Operating System filesystem. comprises: 

creating the file representing the resource in the Operating System filesystem {See 
IDICULA, C4:L42-56, wherein this reads over "session objects 122, one or more process state objects 
130a, 130b, collectively referenced hereinafter as process state objects 130, and a session pool 
object 140. In object-oriented technologies, an object is a data structure that stores data that 
indicates one or more attributes or methods or both"}; and 

assigning an access value to a file attribute of the file representing the resource, the 
file attribute being used by the Operating System to manage file access {See 
IDICULA, C4:L42-56, wherein this reads over "session objects 122, one or more process state objects 
130a, 130b, collectively referenced hereinafter as process state objects 130, and a session pool 
object 140. In object-oriented technologies, an object is a data structure that stores data that 
indicates one or more attributes or methods or both"}, wherein the access value 
corresponds to a combination Of a role {See IDICULA, C5:I_1M3, wherein this reads over 
"user information that indicates a user of the associated connection, the user's roles, and the user's 
privileges, among other information about the user"} and a resource {See IDICULA, C7:L19-35, 
wherein this reads over "[i]f a session is already created for this client, a session object 122 
associated with the client is indicated in the process state object 130"}. 
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17. As per dependent claims 9 and 47, INDICULA, in combination with DEINHART, discloses: 



A method as recited in Claim 8, wherein the file attribute used by the Operating System 
to manage file access is a group identifier file attribute {See deinhart, ci:i_3i-36, wherein 
this reads over w [i]n most of the installed computer systems access rights are granted or revoked explicitly 
for individual users or group of users on respective data or, more generally, on respective objects by a 
system administrator"}. 

18. Claims 6, 12, 15, 44, 50 and 53 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Indicula et al, in view of Deinhart et al, and in further view of Lewis (U.S. Patent No. 6,233,576, 
hereinafter referred to as LEWIS), filed on 25 September 1995, and issued on 15 May 2001. 

19. As per dependent claims 6, 15, 44 and 53, INDICULA, in combination with DEINHART and 
LEWIS, discloses: . 

A method as recited in Claim 1, the method further comprising the steps of: 

reading a permission bit associated with the file representing the resource, wherein 
the permission bit corresponds to the operation performable on the file 
representing the resource {See LEWIS, 014:1.6-12, wherein this reads over "derive the 
authorization file names and the permission bits (from the resource class and name), and to apply 
the appropriate permissions"}; 

based on the operation on the file indicated by the permission bit, determining a 
resource operation that is performable on the resource {See lewis, ci6:L64-ci7:L4, 
wherein this reads over "[t]he resulting access rights consist of a three bit filed with the following 
meanings . . ."}; and 

granting the user the privilege of performing the resource operation on the resource 
{See DEINHART, C1:L31-41, wherein this reads over "[w]hen an access request occurs during 
operation time of the computer system from a user or, more generally, from a subject to the object, 
then the security system looks at the access control list of the respective object and decides whether 
the subject may access the object in the request manner"} only if the permission bit allows 
the operation to be performed on the file representing the resource {See lewis, 

C17:L5-9}. 

While INDICULA and DEINHART fail to expressly disclose the use of permission bits in 
determining user privileges, LEWIS discloses the use of permission bits which signify Read, Write, or 
Execute authority. Therefore, it would have been obvious to one of ordinary skill in the art at the time 
the invention was made to modify the above invention suggested by INDICULA and DEINHART by 



combining it with the invention disclosed by LEWIS. 
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One of ordinary skill in the art would have been motivated to do this modification so that files 
may contain permission bits which allow users the permission to certain operations on the file. 

20. Claims 6, 12, 15, 44, 50 and 53 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Indicula et al, in view of Deinhart et al, and in further view of Official Notice. 

21. As per dependent claims 12 and 50, INDICULA, in combination with DEINHART and Official 
Notice, discloses: 

A method as recited in Claim 10, wherein the step of making an Operating System call to 
perform an operation on the file representing the resource comprises: 

storing the group identifier value of a group identifier attribute of an Operating 
System process {See DEINHART, Cl:L31-36, wherein this reads over M [i]n most of the installed 
computer systems access rights are granted or revoked expiicitly for individual users or group of 
users on respective data or, more generally, on respective objects by a system administrator"}; 

assigning the access identifier to the group identifier attribute of the Operating 
System process {See IDICULA, C4:L42-56, wherein this reads over "session objects 122, one or 
more process state objects 130a, 130b, collectively referenced hereinafter as process state objects 
130, and a session pool object 140. In object-oriented technologies, an object is a data structure 
that stores data that indicates one or more attributes or methods or both"}; 

calling an Operating System routine from the Operating System process to perform 
the operation on the file representing the resource {See idicuu, ci:L52-62, wherein 
this reads over "[a] session is a related series of one or more requests for services made over a 
communication channel. The channel is typically established by the operating system of the host for 
the database server"; and C7:L19-30, wherein this' reads over *[i]f a session is already created for 
this client, a session object 122 associate with the client is indicated in the process state object 130; 
and that session object 122 is used"}, wherein the operation on the file representing the 
resource is performed only if the value of the group identifier attribute of the 
Operating System process matches the value of the group identifier file attribute 
of the file representing the resource {See idicula, C7:L20-2i, wherein this reads over M a 
request is received from database client 102a for database services"}; and 

resetting the group identifier attribute of the Operating System process to the stored 
group identifier value {See Official Notice}. 

The Examiner takes Official Notice that it would have been obvious to one of ordinary skill in the 
art at the time the invention was made to reset the group identifier attribute of the Operating System 
process to the stored group identifier value. That is, where a group identifier is set, it would have been 
obvious to one of ordinary skill in the art to have the capability to reset said group identifier attribute 



accordingly. 
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Response to Arguments 

22. Applicant's arguments filed 2 May 2007 have been fully considered but they are not persuasive, 
a. Rejections under 35 U.S.C. 101 

Applicant asserts the argument that method claims 1-4, 6-13, and 15-17 recite a 
process. The Examiner respectfully disagrees in that the method may be considered 
software, per se, since the claims simply recite non-functional descriptive material. That 
is, wherein the methods are not embodied on a form of computer-readable medium, said 
methods are not functional as they may not be performed by a computer. With respect 
to the claims 56-58 which are directed towards an apparatus, the rejections under 35 
U.S.C. 101 have been withdrawn. 

Additionally, Applicant asserts the argument that "claims 6-7 and 15-16, by virtue 
of their dependency, also produce that same 'useful, concrete, and tangible result.'" See 
Amendment, page 21. It is noted that claims 1 and 10 have been appropriately rejected 
under. 35 U.S.C. 101 above for failing to produce a "useful, concrete, and tangible, result." 
Furthermore, while Applicant asserts the argument that "[w]hat happens under other 
conditions is irrelevant and there is no statutory or judicial requirement to recite every 
possible functional permutation in a claim," it is noted that the if-condition present in 
claims 6-7 and 15-16 deem the method steps of "granting the user the privilege" and 
"enabling the user to perform the resource operation" optional. That is, when the if- 
conditions are not satisfied, the claims as recited would not provide for any "useful, 
concrete, and tangible result." It is advised that Applicant replace the "if" terminology 
with "when." 

Accordingly, for the .aforementioned reasons above, the claim rejections under 
35 U.S.C. 101 are sustained. 
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b. Rejections under 35 U.S.C. 103 

i. Applicant asserts the argument that Idicula fails to teach or suggest "creating 
and storing in a filesystem of an Operating System a file that represents the resource." 
See Amendment, page 23. The Examiner respectfully disagrees. The Examiner directs 
the Applicant to the disclosed portion of Idicula which provides prior art knowledge of 
session objects. See Idicula, col. 1, line 52 - col. 2, line 5: It is noted that the 
aforementioned portion of Idicula discloses that a "session object is a data structure that 
stores information that supports a session" which would read upon the storing of a file in 
a filesystem. While Applicant asserts the argument that a "session object 122 cannot be 
a file," one of ordinary skill in the art would readily acknowledge and know that wherein 
a session object takes the form of a data structure (i.e. a file), said session object file 
would be stored in some sort of a filesystem. That is, while session objects indeed reside 
in memory, session objects must necessarily also reside in some sort of filesystem which 
allows for access of said session objects. Additionally, Applicant asserts the argument 
that "there is nothing in Idicula that represents a session object 122." See Amendment, 
page 24. It is noted for purposes of clarification that Idicula discloses a "database 
session object may also contain references to the database and database schema 
associated with the request" wherein the database session object (i.e. the file) 
represents the database (i.e. the resource). 

ii. Applicant asserts the argument that Idicula fails to teach or suggest "creating an 
access identifier . . . , wherein the access identifier is formatted as a file attribute that is 
used by the Operating System to manage file access." See Amendment, page 24. The 
Examiner respectfully disagrees in that Idicula indeed discloses the creation of session 
information (i.e. the access identifier) which includes security information, identifying 
clients and users (i.e. the user-identifying information) associated with a resource 
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request (i.e. the resource identifier). See Idicula, col. 1, lines 52-67 and col. 5, lines 10- 
32. 

iii. Applicant asserts the argument that Idicula fails to teach or suggest "calling the 
Operating System to perform a file operation on the file by providing the access identifier 
to the Operating System to attempt access of the file." See Amendment, page 25. The 
Examiner respectfully disagrees. It is noted that Idicula discloses a system wherein the 
contents of a session object (e.g. session information) are checked to see if a session has 
already been created for a client. Upon finding that a session object associated with the 
client is indicated in the process state object (i.e. the file operation), the client is then 
allowed to received the requested database services from the database. 

iv. Applicant asserts the argument that Idicula fails to teach or suggest "granting 
the user access to the resource when the Operating System call successfully performs 
the file operation." See Amendment, page 26. The Examiner respectfully disagrees in 
that, as mentioned above, a client seeking database services passes a request to an 
Operating System. Within the passing of the request, client information associated with 
the session and resource are called and passed on to the Operating System. With the 
client information, the Operating System attempts to read the session object, searching 
for the presence of an existing session for the client. Wherein the Operating System 
successfully finds an existing session for the client, the client is then granted access to 
the database (i.e. the resource). 

Accordingly, for the aforementioned reasons above, the claim rejections under 
35 U.S.C. 103 are sustained. 



Conclusion 

23. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set 
forth in 37 CFR 1.136(a). 



Application/Control Number: 10/698,498 



Page 12 



Art Unit: 2161 

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from 
the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date 
of this final action and the advisory action is not mailed until after the end of the THREE-MONTH 
shortened statutory period, then the shortened statutory period will expire on the date the advisory 
action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing 
date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX 
MONTHS from the mailing date of this final action. 

24. Any inquiry concerning this communication or earlier communications from the examiner should 
be directed to Paul Kim whose telephone number is (571) 272-2737. The examiner can* normally be 
reached on M-F, 9am - 5pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Apu 
Mofiz can be reached on (571) 272-4080. The fax phone number for the organization where this 
application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent Application 
Information Retrieval (PAIR) system. Status information for published applications may be obtained from 
either Private PAIR or Public PAIR. Status information for unpublished applications is available through 
Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 
866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or 
access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 
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Patent Examiner, Art Unit 2161 
TECH Center 2100 
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